BESS Logo
BESS.COM.UA Energy Systems
UA
Ukrainian Version (UA)

Engineering Department

sales@bess.com.ua
044 339-50-20
Cybersecurity EMS/SCADA for BESS: standard IEC 62443 (2026) | BESS.UA

EMS/SCADA cyber security:
IEC 62443 for industrial BESS

05.06.2026 11 min read Security
IEC 62443
IACS security standard
SL 1–4
security levels under criticality
Defense
in depth — echelon defense
OT ≠ IT
availability above all else

BESS is not just a battery, but a cyber-physical system: dozens of controllers, EMS, BMS, inverters of PCS, remote monitoring and communication channels of SCADA and, increasingly, of VPP market platforms. Each of these elements is a potential attack vector. A compromised EMS can not only stop the operation of the drive, but also create an emergency mode at the critical infrastructure facility. In 2026, operational technology (OT) cybersecurity has ceased to be an “option for the paranoid” and has become a requirement for bankability and insurance. In this material, how the IEC 62443 standard protects industrial BESS.

"It is not the 'battery' that is under attack, but its brain - the EMS and the control channels. BESS security is not an antivirus, but an architecture: segmentation, trust levels and control of each connection." — OT Security, BESS Ukraine.

Why BESS is a target for cyber attack

Modern industrial BESS is deeply integrated into the digital infrastructure of the enterprise and power system. It is this connectivity that gives advantages (remote monitoring, participation in markets, predictive optimization) and creates an attack surface. Understanding the vectors is the first step to protection.

EMS / controller

The central "brain" of charge-discharge control. Compromise = full control over system behavior.

Remote access

Cloud monitoring and service VPN channels are convenient for engineers, attractive for attackers.

SCADA protocols

Modbus TCP and other industrial protocols have historically been designed without encryption or authentication.

Supply chain

Inverter firmware, BMS and third-party software — the risk of “bookmarks” and vulnerabilities in components.

What the IEC 62443 standard gives

IEC 62443 is an international standard for cyber security of industrial automation and control systems (IACS). Unlike "office" IT security, it takes into account the specifics of OT: the priority of availability and process security over privacy, long life cycles of equipment, real time. The key concept is Security Levels (SL) and dividing the system into zones & conduits.

LevelWho is he protecting from?An example of a threat
SL 1Accidental / unintentional actionsStaff error, crash
SL 2Deliberate, simple meansLow-skilled attacker, typical tools
SL 3Deliberate, special meansPrepared attack, knowledge of IACS systems
SL 4Deliberate, significant resourcesTargeted attack on critical infrastructure

The target level of SL is chosen according to the criticality of the object: for a commercial Retail object, one level is enough, for a hospital, water supply or an object operating in the auxiliary services market, the requirements are significantly higher.

Architecture of a secure BESS

Security according to IEC 62443 is not based on one "magical" tool, but on the principle of echeloned defense (defense in depth): several independent levels of protection, each of which deters an attack, even if the previous one has been passed.

  • Network segmentation (zones & conduits): division into trust zones — battery level, management level, monitoring, corporate network — of controlled channels between them.
  • Access control: role authentication, rejection of shared passwords, principle of least privileges for operators and service.
  • Protected channels: encryption and authentication of remote access, VPN of strict control, rejection of "naked" protocols where possible.
  • Monitoring and response: logging of events, detection of anomalies in control traffic, notification of personnel on duty.
  • Lifecycle Safety: managed firmware update, supply chain component validation, incident response plan.

OT vs IT security priorities

Accessibility
highest priority in OT
Integrity
critical for management
Process safety
life safety
Privacy
important, but not #1

This is a fundamental difference from office IT: in OT, it is not permissible to "turn off" the system for the sake of data security, because the stoppage of BESS at a critical object is itself an incident. Therefore, the protection is designed so as not to sacrifice the availability and security of the process.

Why it affects money

BESS cyber security is not only a technical issue, but also a financial one. Banks and donors consider cyber risks when assessing project bankability. Insurance companies look at the availability of appropriate measures when determining the premium and terms of coverage. And for critical infrastructure facilities, the requirements for OT protection may be regulatory. It is cheaper to include IEC 62443 in the project at the start than to "screw" security to an already working system.

Planning a BESS at a critical facility or want to test the cyber resilience of an existing system? Let's discuss IEC 62443 security architecture - click the button below.

Frequently Asked Questions

Can BESS really be hacked through a cyber attack?
So, theoretically, any cyber-physical object of digital control and external communication channels is vulnerable. The most attractive vectors are EMS (central controller), remote access channels, and industrial SCADA protocols, which have historically lacked encryption and authentication. The goal of the attack is usually not the "battery" as such, but its management: stopping the operation, creating an emergency mode, or using the object as an entry point to the enterprise network. That is why protection is built at the architecture level, not just antivirus.
What is IEC 62443 and how does it differ from conventional IT security?
IEC 62443 is an international standard for cyber security of industrial automation and control systems (IACS). Home is different from office IT security — priorities: in OT, availability and process security come first, followed by data privacy. The standard takes into account real time, long life cycles of equipment and the inadmissibility of "just turning off" the system. Key concepts — security levels (SL 1–4) under the criticality of the facility and the division into zones and conduits of echeloned defense.
What Security Level (SL) is required for my BESS?
Depends on the criticality of the object. Lower levels are usually sufficient for a commercial Retail facility (supermarket, shopping center). For a hospital, water utility, life support facility or BESS participating in the ancillary services market or VPP, the requirements are higher - up to SL 3. The level is chosen based on the result of the risk assessment: who is the potential attacker, what are the consequences of the compromise, what regulatory requirements are in place. We determine the target SL at the design stage and implement appropriate measures.
Does cyber security affect BESS insurance and funding?
Yes, more and more. Banks and donors consider cyber risks as part of the overall risk profile when assessing project bankability. Insurance companies look at OT protections when determining premiums and coverage terms — weak cyber security can make insurance more expensive or limit coverage. For critical infrastructure, protection requirements may also be regulatory. Therefore, the inclusion of IEC 62443 in the project is not only a technical, but also a financial expediency.
Is it cheaper to start with cybersecurity or add it later?
Definitely at the start. Security according to IEC 62443 is an architectural solution: network segmentation, trust levels, secure channels, access control. Building it into the project at the design stage is much cheaper and more efficient than "screwing" it to an already mounted and working system, where you have to redo the topology, replace equipment and stop work. A security retrofit is always more expensive and less reliable than the protection built into the design from the start.

Cyber ​​resilience audit

We will assess the threat vectors of your BESS and design a protection architecture according to IEC 62443.

Read also